Forum Discussion

squeezebox_2829's avatar
squeezebox_2829
Icon for Nimbostratus rankNimbostratus
Aug 10, 2016
Solved

Multiple Switch statements in a single iRule

Hi there,   I have several ranges of addresses which I want to see if traffic is coming from and deny traffic. Say the ranges are as follows as an example:   10.11.0.0/16 10.12.0.0/16 10.13.13.0/...
addr
application delivery
BIG-IP
ip
iRules
switch
  • Vernon_97235's avatar
    Vernon_97235
    Aug 11, 2016

    Yes, but what you really want to do is use a Data Group. Let's say you have a Data Group that looks like this:

    create ltm data-group internal dg-address-matchers type ip \
  records add { 10.11.0.0/16 { data "action1" } \
                10.12.0.0/16 { data "action2" } \
                10.13.13.0/22 { data "action3" } ... }

    You would then use it thusly:

    when CLIENT_ACCEPTED {
    set indicator [class lookup [IP::client_addr] dg-address-matchers]
        
    switch [class lookup [IP::client_addr] dg-address-matchers] {
        action1 {
             ... do something ...
        }
                
        action2 {
             ... do something else ...
        }
        
         ... etc ... 
        
        "" {
             this means the IP matches no netblocks in the data-group
        }
    }
}
VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Aug 11, 2016

The data group format is somewhat different in v10:

but as long as the entries are declared as network, it should work.

If a Data Group is declared to be type ip then the 

equals
operator will perform network-wise comparisons against IP addresses.

  • squeezebox_2829's avatar
    squeezebox_2829
    Icon for Nimbostratus rankNimbostratus
    Aug 11, 2016

    I see, yes it seems to be working. When working with an external file to be used for a datagroup is there a way to program-atically trigger the BIGIP to re-read the file after a change has been made? It seems that changes to the file are not picked up until I go in via the GUI and update the data-group linked to the external file. Is there an API call I can issue to cause an updated file to be used? Thanks,